Subject: Cross-Site Vulnerabilities (Still) Found in Major Web Sites Date: Mon, 21 Jan 2002 14:40:38 +0700 From: Watung Arif <[email protected]> To: [email protected]
I haven't tested any other version of this software yet.
PaintBBS Server is actually up to v2.40. So if anyone wants to continue the investigation have fun! :p
Problem Description:
This is one of those default configuration problems.
A malicious person can read the oekaki config file from the web, find the encrypted password and crack it, thus gaining admin access to the server.
If that didn't work, I could point my web browser at the /oetaki/ folder, see what the .conf files are named and access them. Once I could view the config file I would see something like this...
Now that I have the encrypted password, I would take a standard DES password cracking program (I prefer John the Ripper), since PaintBBS uses the crypt() function, and get the goods.
The compose.php script allows parameters to be passed as GETs. Therefore including the following in an HTML mail will send a message to [email protected]:
rsync is a powerful tool used for mirroring directory structures across machines. rsync has been found to contain several signed/unsigned bugs in its I/O functions which are remotely exploitable. A remote user can crash the rsync server/client and execute code as the user running the rsync server or client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0048 to this issue.
All users of rsync should upgrade their packages. In addition rsync server administrators should consider using the "use chroot", "uid", and "read only" options, which can significantly reduce the impact of a security problem in rsync or elsewhere.
Thanks go to Sebastian Krahmer for providing a patch for this vulnerability and to Andrew Tridgell and Martin Pool for their rapid response.
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
The installation script provided with Tarantella handles utility packages insecurely during installation. A root-owned binary "gunzip" is created in /tmp with world-writable permissions, with the pid appended to the filename.
There is a race condition between the time gunzip is extracted and the time it is used during installation, during which a malicious local user could inject code and quickly compromise the system.
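The weak pattern the advisory describes (a predictable, world-writable helper in a shared /tmp) next to the private-directory pattern that closes the race, as an added example that is not Tarantella's installer code. The helper name, the mode bits and the payload are assumptions chosen to mirror the advisory's description; the script only creates files, it never executes them.

```python
"""Predictable, world-writable temporary file versus a private temp
directory.  Added illustration, not Tarantella's installer; the paths and
mode bits are assumptions that mirror the advisory's description."""
import os
import stat
import tempfile


def unsafe_helper_path(tmpdir: str, name: str = "gunzip") -> str:
    """The weak naming: a fixed name plus the PID.  PIDs are sequential, so
    a local user can predict the name and pre-create or replace the file."""
    return os.path.join(tmpdir, f"{name}.{os.getpid()}")


def unsafe_extract(payload: bytes, tmpdir: str) -> str:
    """Write the helper with a predictable name and world-writable bits.
    Between this write and the later execution another user can overwrite
    the file, so an installer running as root ends up executing their code."""
    path = unsafe_helper_path(tmpdir)
    with open(path, "wb") as f:
        f.write(payload)
    os.chmod(path, 0o777)            # rwxrwxrwx: the advisory's weakness
    return path


def safe_extract(payload: bytes) -> str:
    """Hardened pattern: a private directory (mode 0700, unpredictable name)
    and an exclusive create (O_EXCL) so a pre-planted file or symlink is
    refused instead of followed; no group/other bits on the result."""
    workdir = tempfile.mkdtemp(prefix="installer-")   # mkdtemp creates 0700
    path = os.path.join(workdir, "gunzip")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path


def writable_by_others(path: str) -> bool:
    """The check an auditor runs on a helper before it is executed."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def parent_is_private(path: str) -> bool:
    """True when the containing directory grants nothing to group/other."""
    mode = os.stat(os.path.dirname(path)).st_mode
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> tuple:
    """Return (unsafe helper writable by others, safe helper writable by
    others, safe helper's directory private)."""
    payload = b"#!/bin/sh\necho fake gunzip\n"      # constructed payload
    with tempfile.TemporaryDirectory() as shared:
        unsafe = unsafe_extract(payload, shared)
        unsafe_w = writable_by_others(unsafe)
    safe = safe_extract(payload)
    return unsafe_w, writable_by_others(safe), parent_is_private(safe)


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The point of the private directory is that the attacker cannot even name the target: mkdtemp picks a random suffix and refuses to reuse an existing path, and O_EXCL makes the file create fail rather than open something planted in advance.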
To: BugTraq
Subject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSs
Date: Jan 25 2002 6:47PM
Author: Ofir Arkin <[email protected]>
Message-ID: <[email protected]>
Network Associates PGP Corporate Desktop version 7.1 alters the TCP/IP stack of the MS operating system it installs its PGPfire Personal Desktop Firewall product on.
This alteration occurs even if PGPfire is not enabled.
The type of alteration we have observed is in the ICMP Port Unreachable error messages received from a Microsoft Windows machine using the program.
The following tcpdump trace was produced with Xprobe against a Microsoft Windows 2000 SP2 based machine with the PRE-SP3 patches installed:
If you look at the ICMP error message, look at the part where it starts to echo the original message:
4500, 0062, 70a0 AND THEN 0000!
This behavior is also common with ULTRIX based machines. But it is very easy to differentiate the ULTRIX based machines from the traces produced against machines using Network Associates PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall installed (no need to be enabled). If we examine the echoed UDP header, for example, with the ULTRIX based machines this echoed field value will be zero, while with machines running Microsoft Windows operating systems with Network Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop Firewall installed this field will be echoed correctly.
Dangers: Ability to pinpoint Microsoft Windows operating systems using Network Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop Firewall installed (no need to be enabled), since this type of echoing error integrity is almost unique.
If the firewall is not being used, or if it is running in an insecure mode, an attacker might use this information to maliciously attack a victim's machine.
Vendor Response: Since this is an "Information Leakage" problem no patch will be released for version 7.1. This is already fixed in the upcoming PGP Corporate Desktop software version 7.5.
Remedies: Just enable one of the PGPfire security policies of your choice, and check that it does not allow ANY ICMP error messages from your protected machine to the outside world.
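The "echo integrity" check that the post relies on, as an added example: a field-by-field comparison of the datagram that was sent with the copy quoted inside an ICMP Port Unreachable reply, which is how Xprobe tells stacks apart. This is not Xprobe's code and not part of the post. The two datagrams are constructed, not captured: the probe is assumed to have been sent with the DF bit set, the quoted IP header words 4500 0062 70a0 0000 are taken from the post, and a second constructed reply zeroes the UDP checksum the way the post says ULTRIX does. Which field the real PGPfire stack alters should be read off the actual trace, which is not reproduced on this page.

```python
"""Field-by-field echo-integrity check of an ICMP Port Unreachable message.
Added example; not Xprobe's code.  Sample datagrams are constructed."""
import struct

IP_FIELDS = ("ver_ihl", "tos", "total_len", "ident", "flags_frag",
             "ttl", "proto", "hdr_csum", "src", "dst")
UDP_FIELDS = ("sport", "dport", "udp_len", "udp_csum")


def ip_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ip_udp(ident, flags_frag, ttl, src, dst, sport, dport, payload, udp_csum):
    """Assemble IPv4 + UDP.  The UDP checksum is a parameter so a sample can
    be built with it deliberately zeroed."""
    udp_len = 8 + len(payload)
    total = 20 + udp_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag,
                      ttl, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!HHHH", sport, dport, udp_len, udp_csum) + payload


def parse_ip_udp(data: bytes) -> dict:
    """Decode the IP header and the 8 bytes after it (the UDP header)."""
    ip = dict(zip(IP_FIELDS, struct.unpack("!BBHHHBBH4s4s", data[:20])))
    ihl = (ip["ver_ihl"] & 0x0F) * 4
    ip.update(zip(UDP_FIELDS, struct.unpack("!HHHH", data[ihl:ihl + 8])))
    return ip


def build_icmp_port_unreachable(quoted: bytes) -> bytes:
    """ICMP type 3 code 3 carrying `quoted` (IP header + 8 bytes) after the
    8-byte ICMP header, as the error-generating host would emit it."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return struct.pack("!BBHI", 3, 3, ip_checksum(body), 0) + quoted


def echo_integrity(original: bytes, icmp_msg: bytes) -> dict:
    """Return {field: (sent, echoed)} for each quoted field that differs from
    the datagram we sent.  TTL and the IP header checksum are skipped because
    routers legitimately change both in transit."""
    if (icmp_msg[0], icmp_msg[1]) != (3, 3):
        raise ValueError("not an ICMP port unreachable message")
    sent, echoed = parse_ip_udp(original), parse_ip_udp(icmp_msg[8:])
    skip = {"ttl", "hdr_csum"}
    return {f: (sent[f], echoed[f]) for f in IP_FIELDS + UDP_FIELDS
            if f not in skip and sent[f] != echoed[f]}


def samples() -> tuple:
    """Constructed probe (DF set, ID 0x70a0, 0x62 bytes total) and two
    constructed replies: one zeroing the IP flags/fragment word, one zeroing
    the UDP checksum.  Assumptions for illustration, not captures."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"\0" * 70                         # 20 + 8 + 70 = 0x62 bytes
    probe = build_ip_udp(0x70A0, 0x4000, 64, src, dst, 53, 32132, payload, 0xBEEF)
    flags_zeroed = build_ip_udp(0x70A0, 0x0000, 60, src, dst, 53, 32132, payload, 0xBEEF)
    csum_zeroed = build_ip_udp(0x70A0, 0x4000, 60, src, dst, 53, 32132, payload, 0)
    # Windows quotes the IP header plus 8 bytes, hence [:28]
    return (probe, build_icmp_port_unreachable(flags_zeroed[:28]),
            build_icmp_port_unreachable(csum_zeroed[:28]))


if __name__ == "__main__":
    probe, reply_a, reply_b = samples()
    print("quoted header words:", reply_a[8:16].hex(" ", 2))
    print("reply A differs in:", echo_integrity(probe, reply_a))
    print("reply B differs in:", echo_integrity(probe, reply_b))
```

Against a live target the `original` argument is the probe you sent and `icmp_msg` is the payload after the IP header of the reply; the set of fields that come back altered (and whether the UDP checksum survives) is the fingerprint the post describes.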
Summary
-------
Hosting Controller is an all-in-one administrative hosting tool for Windows based servers. It automates all hosting tasks and gives full control of each website to the respective owner. A vulnerability exists in Hosting Controller which could enable anyone to confirm the validity of usernames and crack the passwords of known users by brute force.
If a non-existent username is entered, the form returns the message: "The user name could not be found". Anyone can use this login process to find an existing user name. When an existing username is entered but the password supplied with it is incorrect, the form returns the message: "The user has entered an invalid password". So now the attacker may launch a brute force attack on the password entry for the known username. I should point out that, generally, domain names or related variations are used as usernames in Hosting Controller, so it is even possible to easily predict the username. Once logged in, the attacker will have total control over the web site.
Solution
--------
The vendor replied within 12 hours of contact, stating they would release a patch within 1-2 weeks, which will probably be based on the first of the solutions suggested below. Hosting Controller managers were highly responsive to this advisory submission and acknowledged the security vulnerability in the Hosting Controller programme. They responded quickly and professionally, which is a really good example that every vendor should follow on such occasions.
1. A practical solution might be limiting login tries from the same IP on a time basis, e.g. 3 wrong password entries from the same IP within an hour may trigger such a protection.
2. The login form might return a message like "Wrong username or password" if either the username or the password entry is wrong.
3. Assignment of hard-to-guess usernames and passwords, and changing passwords periodically, might also be a quick idea.
4. Also the path to the Hosting Controller might be changed to a non-default path, or perhaps the path might be named with random character sequences.
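The enumeration described above and the combination of suggested solutions 1 and 2 (uniform error message plus per-IP lockout), as an added example that is not Hosting Controller's code. The user store, the salted hash, the sample usernames and the lockout policy (3 failures per source IP within an hour) are assumptions for illustration.

```python
"""Username enumeration via distinct login errors, beside a hardened login
with one failure message and a per-IP attempt limit.  Added example; the
users, hash scheme and policy numbers are assumptions."""
import hashlib
import hmac
import time

SALT = b"example-salt"                        # constructed, not a real secret


def _h(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()


# Constructed user store: domain-style names, as the advisory notes
USERS = {"example.com": _h("Summer2002"), "admin": _h("hunter2")}


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the reported behaviour: two different failure messages, so
    the caller learns whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return "The user name could not be found"
    if not hmac.compare_digest(stored, _h(password)):
        return "The user has entered an invalid password"
    return "OK"


class HardenedLogin:
    LOCKOUT_THRESHOLD = 3        # failures per source IP ...
    WINDOW_SECONDS = 3600        # ... within this window

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # source ip -> timestamps of failed attempts

    def _recent_failures(self, ip: str) -> list:
        cutoff = self._clock() - self.WINDOW_SECONDS
        kept = [t for t in self._failures.get(ip, []) if t > cutoff]
        self._failures[ip] = kept
        return kept

    def login(self, ip: str, username: str, password: str) -> str:
        if len(self._recent_failures(ip)) >= self.LOCKOUT_THRESHOLD:
            return "Too many attempts, try again later"
        stored = USERS.get(username)
        candidate = _h(password)     # always hash, so timing does not leak
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if not ok:
            self._failures.setdefault(ip, []).append(self._clock())
            return "Wrong username or password"   # one message for both cases
        return "OK"


def enumerate_users(login_fn, candidates) -> list:
    """What an attacker does to the vulnerable form: try each candidate with
    a junk password and keep the names that are not answered 'not found'."""
    return [u for u in candidates
            if login_fn(u, "x") != "The user name could not be found"]


if __name__ == "__main__":
    guesses = ["example.com", "example.net", "admin", "www.example.com"]
    print("vulnerable form confirms:", enumerate_users(login_vulnerable, guesses))
    h = HardenedLogin()
    same_ip = lambda u, p: h.login("203.0.113.5", u, p)
    print("hardened form confirms:", enumerate_users(same_ip, guesses))
    for _ in range(4):
        print(h.login("203.0.113.9", "example.com", "guess"))
```

Against the hardened form every candidate comes back with the same string (and the fourth attempt is refused outright), so the enumeration list is just the input list and tells the attacker nothing.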
Intro: While doing some troubleshooting I found a bug on a Compaq Evo N600c with an integrated 802.11b card connected via USB (on the back of the display), running as Intel(R) PRO/Wireless 2011B LAN USB Device.
Description: The WEP key is stored in plaintext in the registry. The permissions on the specific key are weak enough that every local user has read access and can extract it via regedit.exe or an equivalent tool. Drivers from other vendors (for example: Actiontec PrismII) store the 128-bit key in encrypted form in the same place in the registry.
Easy way: If you open the properties dialog of your WLAN card and click on the "Advanced" tab, you can find an entry displaying the WEP key in plaintext (only as administrator). A normal user doesn't have access to this "Advanced" tab. This happened with the latest driver version from the Compaq support page (version 1.5.16.0). I tried to get the latest driver from Intel, which is version 1.5.18.0 (downloaded on 24th January 2002). The newer release fixed one part by not showing the entry in the "Advanced" tab.
Always-working way: (the registry listing and the user/permission details are partly omitted in this reproduction)
(no matter which of the 2 noted driver versions is used)
you find the string entry "DefaultKeys"="364e01815b300d8038abc5ff00000000000000", where the first 12 hex values show the WEP key in plaintext: "364e01815b300d8038abc5ff"
On another system with the new driver (1.15.18.0), additional keys were added under the same context noted above: "Profiles\Default\WepKey" "Key128"="2544801583660d7009abcdef00000000000000" "DefKeyId128"="1
If this WEP key belongs to anyone, I apologize. This key was freely invented by my fingers on the keyboard!
Tested in the following environments: Windows NT 4.0 SP4, SP6a, 2000 Professional SP2, XP Pro
I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
Norton AntiVirus 5.0, 7.5.1, 8.00.58
I suspect that other virus scanners will encounter the same "bug", so you might try the sample script that I created. Additionally, other tools (quota managers, inventory tools, etc.) that gather information from an NTFS partition might reveal the same bug.
After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C: partition. I suspect that the Eicar virus will not be found. Additionally, re-create the substituted drive and re-run the scan. Under normal conditions the Eicar virus will be found and removed (depending on your settings). As far as I can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on it.
Responses on this posting at my address are welcome.
McAfee VirusScan V4.5.1 running on NT 4.0 SP6a seems vulnerable to the same trick.
VirusScan found eicar1 but not eicar2. Worst thing is, it just silently stopped (no error that it couldn't go 'deeper') and claimed there were no more infected items.
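The blind spot the SUBST trick exploits is a scanner that stops descending once a path would exceed a fixed limit (MAX_PATH, 260 characters on Windows). The following added example is not the poster's script: it builds a constructed deep tree in a temporary directory on any OS, imitates a scanner bounded by that limit, and runs the audit you would use to list the files such a scanner never reaches. The directory names, depths and file content are assumptions; the marker is a placeholder string, not the EICAR test string.

```python
"""Files beyond a fixed path-length limit: what a MAX_PATH-bounded scanner
misses and how to list them.  Added example; not the original poster's
script.  Tree layout and marker content are constructed."""
import os
import tempfile

MAX_PATH = 260                                   # Windows MAX_PATH
MARKER = b"placeholder test file, not EICAR"     # constructed content


def build_deep_tree(root: str, depth: int, seg: str = "d" * 40) -> str:
    """Create `depth` nested directories of 40-character names (the kind of
    tree SUBST lets you build past the limit) and a file at the bottom.
    Returns the file's full path."""
    path = root
    for _ in range(depth):
        path = os.path.join(path, seg)
    os.makedirs(path, exist_ok=True)
    target = os.path.join(path, "eicar2.com")
    with open(target, "wb") as f:
        f.write(MARKER)
    return target


def walk_like_bounded_scanner(root: str, limit: int = MAX_PATH):
    """Imitate a scanner that silently stops descending once a path would
    exceed `limit`: yields only the files it can reach."""
    for dirpath, dirnames, filenames in os.walk(root):
        # prune subdirectories whose full path is already past the limit
        dirnames[:] = [d for d in dirnames
                       if len(os.path.join(dirpath, d)) < limit]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if len(full) < limit:
                yield full


def unreachable_files(root: str, limit: int = MAX_PATH) -> list:
    """Audit: every file under root whose path is at or beyond the limit.
    os.walk itself is not bounded, so this sees the whole tree."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if len(full) >= limit:
                found.append(full)
    return found


def demo(depth_short: int = 2, depth_long: int = 8) -> tuple:
    """Build one shallow and one deep file; return (shallow file reached by
    the bounded scanner, deep file reached, deep file listed by the audit)."""
    with tempfile.TemporaryDirectory() as root:
        shallow = build_deep_tree(os.path.join(root, "a"), depth_short)
        deep = build_deep_tree(os.path.join(root, "b"), depth_long)
        seen = set(walk_like_bounded_scanner(root))
        missed = unreachable_files(root)
        return shallow in seen, deep in seen, deep in missed


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The audit function is the practical takeaway: run it over a volume (on Windows, opening paths with the \\?\ prefix) and any file it lists is one a length-bounded scanner, quota manager or inventory tool will never look at.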
Subject: Web Browsers vulnerable to the Extended HTML Form Attack (IE and OPERA) Date: Thu, 7 Feb 2002 02:50:43 +0100 From: "obscure" <[email protected]> To: <[email protected]>
Affected applications: Internet Explorer 6 and older versions; Opera 6.0 and older versions
Possible attacks: cookie theft, leakage of information about internal networks, etc.
Vendor status: Internet Explorer - M$ is busily working on a patch; it may be out soon. Opera - may be fixed in the next version.
From: "Adonis.No.Spam" <[email protected]> To: "BUGTRAQ" <[email protected]> Date: Fri, 15 Feb 2002 11:22:30 -0500 Subject: Windows XP Remote DOS attacks with SYN Flag. Make CPU 100 %
"I would like you to join me in thanking all the people at Apple who've worked so hard to create all these new products." Then he added, "I want to thank the families and the spouses of all the people at Apple. Because I know you'd like to have us around a little more."
Hard to understand without context, but the last part is a complete mistranslation. (Are there dozens of mistranslations like this?)
■ Two years later, C&G closed its doors. Rendered as 「その二年後、C&Gはドアを閉じた。」 (Koji Iguchi, literal translation: "C&G closed its door"). Correctly it should be "dissolved", "went out of business", "withdrew", "closed", "went bankrupt", "shut up shop", ...
■ The translation reads 「砂の中に隠しているわれわれの頭を引っ張り出そうではないか」 (Koji Iguchi, literal translation: "let us pull out the heads we are hiding in the sand"), and I immediately thought of the idiom bury one's head in the sand (to ignore reality)... To a Japanese reader this is completely meaningless. (It was meaningless to the literal translator too, evidently.)